The EU's General Data Protection Regulation (GDPR) goes into effect on May 25, but many companies are still not in compliance with its rules, according to a new report from AvePoint and the Centre for Information Policy Leadership (CIPL).

In a survey of 235 multinational organizations, 60% said they do not have any procedures in place to identify and tag data—leaving them in the dark about the sensitive and confidential content they hold within their information, and how it's used or treated, according to the report.

For those unaware, the GDPR establishes formal regulations regarding data protection for organizations located in the EU, or those that work with EU clients. If a business is found to be non-compliant with the rules, they can be fined up to 4% of their annual global revenue, or €20 million.

"The report shows that companies are not where they need to be in terms of compliance efforts. GDPR merely exacerbates how much oversight is needed to enforce changes down to the individual level," AvePoint's chief risk, privacy and information security officer Dana Simberkoff said in a press release. "The long road ahead is quickly becoming a short path as we approach the May 25, 2018 date. This assessment magnifies areas that need major improvement. Knowing where you are on the GDPR readiness scale is half the battle."

More than one third of organizations said they had no framework or procedures in place to identify and classify risk to different individuals, the report found. Another third said they were currently working on developing such a framework.

Global companies are also providing additional staff to their GDPR implementation efforts: 32% of organizations surveyed said they had committed more staff to this project, an increase from under a quarter last year, the report found.

Building and maintaining a comprehensive privacy compliance program was one of the largest areas of impact on organizations on the journey to GDPR compliance, the report found. More than half of organizations surveyed said they had committed additional budget to GDPR implementation, ranging from hundreds of thousands of dollars to $50 million. Technology tools and software were the no. 1 priority for GDPR-focused spending, according to the report.

"GDPR implementation consists of multiple layers of complexity," Bojana Bellamy, president of CIPL, said in the release. "The survey reveals that while some progress has been made in preparation for 25 May 2018, there is more work to be done by organisations that will have to step up their implementation efforts across many key-change areas. Reviewing data management strategies, building new comprehensive compliance programs, and putting in place new systems, processes and procedures to facilitate the changes are crucial to successful GDPR implementation."

Stay up to date on all the latest security news. Click here to subscribe to the TechRepublic Cybersecurity Insider newsletter.